trap host system is copied into the cage directory. As described more
fully below, the interface to the operating system kernel is modified

regarding an intruder's activities), keep the intruder in the cage, and
(2) Method of detecting changes to log files; and

(3) Method of detecting a race condition attack. 

USE - In host-based intrusion detection systems (IDSs) used in an
enterprise environment for protecting host computer systems from
exploits of known vulnerabilities, protecting against attacks coming in
from the network, protecting against security policy violations within
a system or enterprise, protecting some applications, and also
providing virus protection.

ADVANTAGE - Detects intrusions accurately and communicates an alert 
and detailed information on the potential attack immediately. 
illustration of the logical architecture.
eSafe Protect Desktop 2.1.
variety of actions upon discovering a virus and has a flexible
scheduler as well. 

The sandbox feature makes eSafe stand out in this roundup. eSafe 
uses Windows virtual device drivers to monitor operations by other 
programs, particularly Internet-enabled programs, and ensure that they 
don't misbehave...
Get a positive ID on DDoS attackers

Mazu's TrafficMaster Inspector a good first step in identifying DDoS
attacks.

Byline: MANDY ANDRESS

Journal: Network World Page Number: 55 

Publication Date: August 27, 2001 
Word Count: 1177 Line Count: 113 

Text: 

... on the network, but works best near the first-level routers, where it 
can directly monitor traffic to and from the Internet. Inspector connects 
to the data path via a passive... 

...of network traffic from routers for analysis. Inspector sits directly on 
the network connection and monitors all traffic, independent of the 
network routers for packet information. One reason Mazu's solution... 

... a great start in developing a fast, efficient distributed DoS solution. 
Its approach to separate monitoring and defense mechanisms does not make 
Inspector an optimal solution on its own. If we... 

... three main components are at work: user-level Mazu module, Mazu Kernel
module and Mazu device driver. The user-level module is the brains of
the product. It performs the packet analysis... 

... and routing to keep any latency introduced by its presence to an
absolute minimum. The device driver optimizes packet processing,
enabling Inspector to quickly and efficiently capture packets off the
network. Initially...

... These administration tools provide four main functions: configuration, 
attack detection, attack characterization and traffic analysis monitoring.
Configuration settings allow you to enable SNMP monitoring and set
system thresholds. With SNMP enabled, an alert can be sent via your network 

... overview page during the attack. The attack incident report page
provides detailed information on attack histories and lets you drill down
to specific packet details for each suspected attack. Inspector lets...

... identify distributed DoS attacks in large carrier-class networks. Starting
at $100,000 for only monitoring and attack characterization, it is not a
solution for the faint of heart. Overall, TrafficMaster Inspector provides
fast, efficient anomaly-based monitoring, but it does not provide any
filtering recommendations. To do that, administrators must create their...
Firewall framework for network device, has firewall engine with layer
interface for returning action to requesting layer upon receiving layer
parameters e.g. port number, for packet related to processor

Abstract (Basic): EP 1484884 A2

NOVELTY - The framework has a set of layer processors, each 
processes layer parameters e.g. port number, for a packet related to 
the processor. Each processor issues a classification request with the 
parameters. A kernel firewall engine (256) has a layer interface to 
return an action to a requesting layer upon receiving the parameters. A 
lookup component identifies from a matching filter the action to be 
returned by the interface. 

DETAILED DESCRIPTION - INDEPENDENT CLAIMS are also included for the
following:

(a) a method of communicating between a layer process and a 
firewall process 

(b) a computer-readable medium for executing computer-readable 
instructions for facilitating a firewall framework 

(c) a computer-readable medium for executing computer-readable 
instructions for communicating between a layer process and a firewall 
process in an operating system. 

USE - Used for providing multi-layer filtering of packets in a
network device of a computer system, where that system may be a personal
computer, server computer, handheld or laptop device, multiprocessor
system, microprocessor-based system, set top box, programmable consumer
electronics, network PC, minicomputer or mainframe computer, or a
distributed computing environment that includes the above systems or
devices.

ADVANTAGE - The firewall engine returns the action to the 
requesting layer upon receiving the parameters, thus permitting 
filtering of packets at all layers within a network stack, and hence 
providing more functionality such as intrusion detection, logging 
of packets and parental control features. 

DESCRIPTION OF DRAWING(S) - The drawing shows a block diagram
illustrating firewall architecture.

Kernel firewall engine (256)

Filter engine application programmable interface (266)

Filters (282)

Boot time policy (286)
Kernel interface device in intrusion detection system for system
security and method therefor

Patent Assignee: LGNSYS INC (LGNS-N)

Patent Family:

Patent No Kind Date Applicat No Kind Date Week

Abstract (Basic): KR 2004015484 A

NOVELTY - A kernel interface device in an IDS (Intrusion
Detection System) for system security, and a method therefor, are
provided to monitor every event without exception. The kernel
interface, which can monitor and report system event generation at
the same time as system booting, is recognized as a driver (software-type
hardware) and is made to operate in the early stage of booting.

DETAILED DESCRIPTION - A kernel interface device in an IDS
(Intrusion Detection System) for system security consists of a ring '0'
monitor driver (310), a ring '3' application program (330), and a
kernel interface driver (320). The ring '0' monitor driver (310)
monitors events of the ring '0' level for the transmission and reception
of driver information between the ring '0' kernel mode and the ring '3'
user mode. The ring '3' application program (330) is executed in the
ring '3' user mode. The kernel interface driver (320) transmits the
monitored events between the ring '0' monitor driver (310) and the
ring '3' application program (330). The kernel interface driver (320)
is comprised of a data channel (321), a cyclic data buffer (322), a
system service thread (323), a kernel interface (331), and a
synchronization information buffer (340).
Profiling system for runtime environments, has profiling tool that
creates runtime metric including application metric and
non-application-code metric from software application and
non-application-code component

Abstract (Basic): US 20030192036 A1

NOVELTY - The system has a software application written in a 
platform-independent programming language. A non-application-code 
component is invoked by the software application. A profiling tool 
creates a runtime metric that includes an application metric and a 
non-application-code metric. The tool creates the application and 
non-application-code metrics from the software application and 
non-application-code component.

DETAILED DESCRIPTION - An INDEPENDENT CLAIM is also included for a 
method of profiling the runtime environment of an application-code 
component.

USE - Used for runtime environments. 

ADVANTAGE - The profiling tool can generate runtime profiles
relating to both the software application and the non-application-code
component invoked by the software application, so that the system
comprehensively profiles a runtime environment in a non-intrusive
manner.

DESCRIPTION OF DRAWING(S) - The drawing shows a process-flow
diagram of a kernel processing subsystem and interactions between a
kernel profiling subsystem and a virtual machine to generate
comprehensive runtime metrics.
Profiler (45) 
Virtual machine (62) 
Kernel instrumentation trace (92) 
Kernel instrumentation points (94) 
Kernel instrumentation buffer (96) 
Kernel instrumentation data (98) 
Virus and intrusion protection apparatus for computer, has switch which
when open disconnects main core of computer from dedicated network
board, WWW and e-mail

Abstract (Basic): US 20020095607 A1

NOVELTY - A dedicated network board (72) has duplicated computing 
components to isolate main core (74) of computer or network server 
from external communication with WWW (90). A switch (1A) when open 
disconnects the main core from the dedicated network board and WWW, 
e-mail and other external networks. 

DETAILED DESCRIPTION - An INDEPENDENT CLAIM is included for a 
method for protecting a computer from a virus, hacker or worm. 

USE - For protecting computer e.g. personal computer, laptop or 
computer networks from virus, hacker or worm. 

ADVANTAGE - Since the main core is never exposed to the WWW and/or
other external networks while communication sessions are in progress, no
hacker, worm or virus can invade, infect or affect the main core. The
temporary storage media of the network board can be easily flushed
and restored.

DESCRIPTION OF DRAWING(S) - The figure shows a computer network
with the virus and intrusion protection apparatus.

Switch (1A)

WWW (90)

Dedicated network board (72)

Main core of computer (74)
Computer architecture for monitoring events occurring in computer
system or network and analyzing events for signs of security violations
has at least one correlation engine to interpret and analyze kernel
audit and syslog data

Abstract (Basic): US 20020083343 A

NOVELTY - A control agent (60) interfaces with a GUI system (55) 
and monitors system activity. At least one data gathering component 
gathers kernel audit data (70) and syslog data (72). At least one
correlation engine (78) interprets and analyzes the kernel audit 
data and the syslog data using at least one detection template. 

USE - As a host-based intrusion detection system (IDS) for
monitoring events occurring in a computer system or network and 
analyzing the events for signs of security violations 

ADVANTAGE - Observes kernel audit data, network packets and 
system log files on target host, provides more accurate 
determinations (fewer false positives, fewer missed attacks). Detects 
building blocks of attacks, not a variety of attack scenarios that may 
require frequent update. Detects insider attacks that do not use the 
network. Network traffic encryption has no impact. 

DESCRIPTION OF DRAWING(S) - The drawing shows a high level
illustration of the logical architecture according to the present
invention.

GUI system (55)

control agent (60)

kernel audit data (70)

syslog data (72)

correlation engine (78)
System performance monitoring method for single processor and
multiprocessor system - involves displaying call count and data collected
after execution of instrumentation phase for each selected code segment
which are selected during burst counting phase

Abstract (Basic): US 5896538 A

NOVELTY - A burst counting phase is executed, and execution is then
switched over to an instrumentation phase once a predetermined number of
code segments have been selected in the burst counting phase. The
instrumentation phase is executed for each selected code segment, and the
call count and data collected for each segment during execution are
displayed on a display device.

DETAILED DESCRIPTION - During the burst counting phase, a
predetermined number of instructions are executed and a call count for
one or more code segments is stored. The call count indicates the number
of times a particular code segment is executed. One or more code
segments whose call count equals a predetermined value are then
selected. After the call count and data are displayed, execution
switches back from the instrumentation phase to the burst counting phase
when the selected code segment completes execution.

USE - For single processor and multiprocessor system. 

ADVANTAGE - Enables the programmer to improve system performance, as a
statistical summary of the system is presented to the user after being
divided into user code and kernel code. Identifies frequently executed
code paths in the system with minimum intrusion on system function and
minimum usage of memory capacity.

DESCRIPTION OF DRAWING(S) - The figure shows a block diagram
illustrating the system performance monitoring method.
Intrusion and misuse detection system for data processing system -
has misuse engine which compares states of system inputs to predetermined
states, and output mechanism produces notification signal upon detection
of misuse

Abstract (Basic): CA 2144105 A

The intrusion and misuse detection system (10) for data 
processing system uses processing system inputs. This includes 
processing system audit trail records (18), system log file data 
(16), and system security state data (14). A misuse selector (20) 
allows the detection system to analyse the process inputs for a 
selected subset of misuses. 

The processing system inputs are then converted into states which 
are compared, through a misuse engine (30), to a predefined set of 
states and transitions until a selected misuse is detected. Once a
misuse has been detected, an output mechanism generates a signal for
use by notification and storage mechanism. The detection system then 
generates a text-based output report for a user to view or store. 

ADVANTAGE - Minimises number of false positives. Eliminates need 
for expert programming. Improved efficiency and simplified development 
and testing. 
ABSTRACT

PROBLEM TO BE SOLVED: To secure the security of systems that are
operated simultaneously and in parallel, without altering those systems, by
having a monitoring system monitor the contents of inter-system
communications with the other system and illegal inter-system communication
control from the other system, and by preventing the influence of an illegal
intrusion and control on all systems except the monitoring system when an
illegality is detected.

SOLUTION: A multiplex system parallel operation kernel 300 simultaneously
and in parallel operates plural systems on one computer. A system interruption
control part 301 controls the interruption between respective systems and
performs assignment or scheduling of processors. In addition, a system operation
memory space managing part 302 manages the memories of the respective systems
and assigns memory to each of them. When an illegal access is performed from
one system to the multiplex system parallel operation kernel 300, the
multiplex system parallel operation kernel 300 enables a general system itself
to stop by using a system start/end control part 304.